Cybersecurity and HVAC: Are You Vulnerable?
By Dwayne Melancon, chief technology officer, Tripwire
Increasingly, commercial heating, ventilation and air-conditioning (HVAC) and other building management systems in retail stores are connected to the Internet. And as recent events have shown, such systems (often called "smart systems") carry serious security implications.
One of the risks associated with smart systems is that they are often accessed and managed by a pool of people. Some of these folks may be working for a contractor or a third-party vendor hired to manage a particular piece of infrastructure, such as the HVAC. Once credentials are issued for the controls, they tend to remain unchanged for quite some time. Also, because technicians need to be able to find information quickly, crucial data such as logins and connection details tends to be stored in many different places, making it accessible to even more people. Such a situation allows a wide network of individuals, including associates of contractors, to gain access to the credentials of an HVAC system.
For many devices, this kind of access may not be a big deal. The security implications become serious, however, when a building management system sits on the same network as critical corporate assets, with nothing between the two. The reality is, without broader security scrutiny, even systems as mundane as HVAC can be used as a launch point to attack other systems on the network.
Based on the latest information available, this could be exactly what happened at Target. I can’t think of a good business reason why an HVAC system would be able to connect directly to point-of-sale infrastructure — other than someone just not thinking about it as an attack path that could be used by malicious individuals.
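The practical check behind the point above is whether the building-management zone can reach the payment zone at all. The script below is an added example, not code from the original article or from Tripwire: it assigns constructed addresses to zones, encodes a hypothetical allow-list of cross-zone flows, and reports any flow that crosses zones without a matching rule. All subnets, ports and flow records are assumptions constructed for illustration.

```python
"""Audit flow records for cross-zone traffic a segmentation policy does not permit.

Added example (not the article's or Tripwire's code). Zone ranges, the allow-list
and the sample flow lines are all constructed for illustration.
"""
import ipaddress
from collections import namedtuple

# Hypothetical zone assignments. The contractor pool uses TEST-NET-3 so no
# real address is implied.
ZONES = {
    "bms":    [ipaddress.ip_network("10.50.0.0/16")],    # HVAC / building management
    "pos":    [ipaddress.ip_network("10.10.0.0/16")],    # point-of-sale / cardholder
    "corp":   [ipaddress.ip_network("10.20.0.0/16")],    # office workstations
    "vendor": [ipaddress.ip_network("203.0.113.0/24")],  # contractor VPN pool
}

# Cross-zone flows the (hypothetical) policy permits: (src_zone, dst_zone, dport).
# Traffic within a zone is not policed here; anything else across zones is a violation.
ALLOWED = {
    ("vendor", "bms", 443),  # contractor manages HVAC controllers over HTTPS
    ("corp", "bms", 443),    # facilities staff view dashboards
    ("corp", "pos", 443),    # store operations use the POS management API
}

Flow = namedtuple("Flow", "src dst dport")


def zone_of(addr):
    """Map an address to its zone name, or 'unknown' if it matches no range."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "unknown"


def parse_flows(lines):
    """Parse constructed NetFlow-style lines of the form 'src dst dport'."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split()
        flows.append(Flow(src, dst, int(dport)))
    return flows


def violations(flows):
    """Return [(flow, (src_zone, dst_zone, dport))] for cross-zone flows not in ALLOWED."""
    found = []
    for f in flows:
        key = (zone_of(f.src), zone_of(f.dst), f.dport)
        if key[0] != key[1] and key not in ALLOWED:
            found.append((f, key))
    return found


# Constructed sample: two HVAC-to-POS flows (SMB and RDP) should be flagged;
# the contractor-to-HVAC, corp-to-HVAC, corp-to-POS and HVAC-internal flows should not.
SAMPLE = """
# src dst dport   (constructed records, not real traffic)
203.0.113.7 10.50.3.21 443
10.20.4.9   10.50.3.21 443
10.50.3.21  10.10.7.4  445
10.50.3.21  10.10.7.5  3389
10.20.4.9   10.10.7.4  443
10.50.3.21  10.50.3.22 47808
"""


def audit_sample():
    return violations(parse_flows(SAMPLE.splitlines()))


if __name__ == "__main__":
    for flow, (src_zone, dst_zone, port) in audit_sample():
        print(f"VIOLATION {src_zone}->{dst_zone}:{port} {flow.src} -> {flow.dst}")
```

Run against real flow exports, the same logic answers the question the article raises: if any record appears with a building-management source and a point-of-sale destination, the two zones are not segmented, whatever the network diagram says. Note that a flow log only shows traffic that actually occurred; confirming that the path is closed still requires checking the firewall or ACL configuration itself.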
Information security is often outside the core competencies of retailers, which makes it harder for them to evaluate risk holistically, especially the risks that come from the interconnected systems supporting today's businesses. One approach I have been advocating is to "connect security to the business": make a concerted effort to understand the relationships between IT infrastructure and critical business processes. As the number of cyber attacks increases, such an understanding will become a core requirement for businesses, and its importance will only grow.
There's an old saying that goes "you can't pick up one end of the stick," and it holds for information security. Everything is connected, and once you touch one part of the infrastructure, you can't forget about what happens to the rest. The problem is that in deploying "smart devices," such as HVAC controls, many retailers haven't thought through the security risks of placing these devices on a production network with access to other sensitive data or systems.
Target’s experience illustrates the need for security professionals to take a step back and look at the overall ecosystem of devices and how they are connected. Attackers will find and exploit the weakest link in an interconnected network every time.
The link between automated building systems and security breaches will be explored at the SPECS workshop entitled “Tech Boot Camp: Operational Technology,” which will be held on Tuesday, March 11 at 1:40 p.m.
RetailMeNot’s mobile net revenues surge
Digital coupon marketplace RetailMeNot said that its investments are paying off, following a strong performance in the fourth quarter ended Dec. 31, 2013.
The company reported net revenues for the quarter of $78.5 million, an increase of 55% compared to $50.8 million in the prior-year quarter. Organic net revenues, which exclude net revenues from acquired businesses not owned during both comparative periods, increased 50%.
Mobile net revenues totaled $11.7 million, a 179% surge from $4.2 million in the prior-year period. Net revenues from international markets totaled $16.3 million, up 85% from $8.8 million.
Visits to the company's websites grew 24% to 184.1 million, from 148.4 million.
"Our strong performance in 2013 was enabled by the investments we have made in people, technology and marketing to position the company for long-term growth. In the fourth quarter in particular, we saw these investments pay off in our strong performance as a solid e-commerce environment and a shorter holiday shopping season saw heavy retailer promotional activity," said founder, president and CEO Cotter Cunningham. "Looking into 2014, we remain committed to making investments that will focus on delivering the highest value content for consumers, strengthening our community and enhancing our web and mobile offerings to position the company for long-term growth."
As of Dec. 31, 2013, more than 13.7 million apps had been downloaded globally across RetailMeNot.com, VoucherCodes.co.uk, Poulpeo.com and Bons-de-Reduction.com, up from 4.5 million as of Dec. 31, 2012. During the fourth quarter, mobile app sessions totaled 116.5 million, versus 16.7 million during the fourth quarter of 2012.
Cold January for some retailers
New York — Snowstorms and bitterly cold weather took a bite out of sales for some retailers in January. One of the retailers feeling the chill was Fred’s, which posted a 1.8% decline in January same-store sales.
"The weather was a significant challenge for us in January," said CEO Bruce Efird, who added that it disrupted shopping patterns, but also resulted in “more than 120 store closings during the final week of the month."
The Buckle reported a 6.6% drop. Zumiez reported a 7.6% decline. Stein Mart saw its same-store sales inch down 0.7%.
But a couple of retailers managed to buck the trend. L Brands, formerly Limited Brands, said that its January same-store sales rose 9%. Costco Wholesale Club had a 5% increase, excluding gasoline.